Firewall CC_Deny blocks spammers but also WHM updates

seenBEST

I was getting blasted with SPAM through website forms, despite having Captchas in place and other security measures. I was able to analyze the log files over the course of a month and found that the vast majority of form submission SPAM was coming from just 3 ASNs.

I blocked these 3 ASNs in CC_DENY after extensive research:
AS36352 ColoCrossing
AS55286 Server Mania
AS60068 Datacamp

Luckily, after adding those 3 ASNs to CC_DENY, literally every single web form SPAM stopped. However, a bigger problem developed in that WHM will no longer update. It hangs up trying to update packages. My guess is one of the above ASNs hosts some type of updates for WHM.

I asked my managed provider for a solution but nothing really helped. I'm looking for some way to keep my CC_DENY entry while somehow bypassing it just for ports, and I'd need some kind of idea what ports are used for WHM updates. Any idea how I can keep my block in place but CSF whitelist WHM updates?
 

rscalover

Hello,

As far as I know, CC_DENY is a ConfigServer CSF feature which allows you to block a whole country by adding the 2-letter ISO code for the country you want to block. It doesn't allow you to block by ASN numbers. Having said that, everybody hates spam, and a possible solution could be to whitelist the IP addresses that take care of cPanel / WHM updates.

Probably the problem is being caused by the fact that ColoCrossing is in the US and so is cPanel, so updates are blocked. Ask somebody from cPanel what IPs you need to whitelist to get around the problem. I always see httpupdate.cpanel.net appear, but it could be different for you.
 

seenBEST

Thank you for the reply. I will ask cPanel if they have the update IPs.

I did enter the ASN codes into CC_DENY and it did block by ASN, so that feature does work, but unfortunately, like you said, it seems cPanel or something tied to it uses one of those ASNs for update downloads.
 

rscalover

> Thank you for the reply. I will ask cPanel if they have the update IPs.
>
> I did enter the ASN codes into CC_DENY and it did block by ASN, so that feature does work, but unfortunately, like you said, it seems cPanel or something tied to it uses one of those ASNs for update downloads.

You're right, I just checked and it can block ASN numbers, but your issue remains the same. Leaving cPanel / WHM updates blocked is not an option, as sometimes those updates fix security vulnerabilities, so whitelisting the "update servers" would solve your issue while keeping the spammers blocked.

Are you using Google reCAPTCHA on your forms? I recently switched to hCaptcha, and it seems the automated software spammers use has a hard time deciphering them. It might be an option too, though it's probably just a matter of time before hCaptcha gets cracked by the bad guys too.
 

cPJustinD

Administrator
Staff member
Hello seenBEST!

It sounds like our IPs or perhaps your server IP may be part of one of the ASNs' networks. A unique ASN is allocated to each AS for use in BGP routing. ASNs are important because the ASN uniquely identifies each network on the Internet.

I found an online tool that may help you get the CIDR ranges for the ASNs you provided that may provide more information on the networks affected:

https://hackertarget.com/as-ip-lookup/

If this doesn't help you resolve the issue, however, it would be best to open a support ticket to take a closer look. You can submit a support ticket using the "Submit a ticket" link in my signature below. If we find that the issue is unrelated to cPanel specifically, we will do our best to determine the source of the problem and provide the best available guidance that we can offer.

Thank you!
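
Added example (not part of any post in this thread, and not cPanel or ConfigServer code): once the CIDR ranges for the denied ASNs are in hand, this check shows which update-host or server addresses fall inside them, so only those addresses need an allow rule. The prefixes and IP addresses are constructed from documentation ranges and are not the real allocations of these ASNs or of httpupdate.cpanel.net.

```python
import ipaddress

# Constructed sample data. Documentation-range prefixes stand in for the CIDR
# lists an AS-to-prefix lookup returns for each ASN listed in CC_DENY.
BLOCKED_PREFIXES = {
    "AS36352": ["192.0.2.0/24", "198.51.100.0/25"],
    "AS55286": ["203.0.113.0/26"],
    "AS60068": ["203.0.113.128/25", "2001:db8:10::/48"],
}

# Constructed: addresses the update host and the server itself resolve to.
ENDPOINTS = {
    "httpupdate.cpanel.net": ["203.0.113.200", "2001:db8:10::5"],
    "this-server": ["198.51.100.200"],
}


def load_networks(prefixes_by_asn):
    """Parse every prefix once; return (network, asn) pairs and bad entries."""
    networks, rejected = [], []
    for asn, prefixes in prefixes_by_asn.items():
        for prefix in prefixes:
            try:
                # strict=False tolerates lookup output with host bits set.
                networks.append((ipaddress.ip_network(prefix, strict=False), asn))
            except ValueError:
                rejected.append((asn, prefix))
    return networks, rejected


def find_blocked(endpoints, prefixes_by_asn):
    """Map each endpoint name to its (ip, asn, prefix) hits in denied space."""
    networks, _ = load_networks(prefixes_by_asn)
    hits = {}
    for name, addresses in endpoints.items():
        for text in addresses:
            ip = ipaddress.ip_address(text)
            for net, asn in networks:
                # Membership is False across address families, so v4/v6 can mix.
                if ip in net:
                    hits.setdefault(name, []).append((str(ip), asn, str(net)))
    return hits


if __name__ == "__main__":
    for name, matches in find_blocked(ENDPOINTS, BLOCKED_PREFIXES).items():
        for ip, asn, net in matches:
            print(f"{name}: {ip} is inside {net} ({asn}); allow-list candidate")
```

An endpoint with no hits, such as the constructed "this-server" address here, is not affected by the ASN deny entries, so the cause of a hang involving it lies elsewhere.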